antirootkits

mablanco.antirootkits

Ansible role to deploy several rootkit and malware detection tools:

  • Rkhunter: rootkit, backdoor, sniffer and exploit scanner
  • chkrootkit: rootkit detector
  • Unhide: forensic tool to find processes and TCP/UDP ports hidden by rootkits
  • Shell Detector: application that helps you find and identify php/cgi(perl)/asp/aspx shells

Debian, RHEL and their respective derivatives are supported. chkrootkit is not available for RHEL.

Role Variables

Tools to install

The following variables control whether a tool is installed (true) or not (false). All variables default to 'false'.

  • rkhunter
  • chkrootkit
  • unhide
  • shelldetector

General setup

  • antirootkits_mail_cmd: Command to send reports (varies between Debian and RHEL)
  • antirootkits_mail_from: Sender email address for the audit reports. There is no valid default; you have to set it.
  • antirootkits_mail_to: Receiver email address for the audit reports. There is no valid default; you have to set it.
  • antirootkits_log_expire: Days before logs are purged. Defaults to '90'.
  • antirootkits_rkhunter_diag_scan: Include the application check in the detailed report scan. Defaults to 'no' (RHEL only).

Unhide setup

  • unhide_cron_hour: Hour of execution of Unhide's cron job. Defaults to '6'.
  • unhide_cron_minute: Minute of execution of Unhide's cron job. Defaults to '00'.

Shell Detector setup

  • shelldetector_install_directory: Install directory. Defaults to '/opt/Shell-Detector'.
  • shelldetector_scan_directory: Directory to scan. Defaults to '/var/www'.
  • shelldetector_cron_hour: Hour of execution of Shell Detector's cron job. Defaults to '6'.
  • shelldetector_cron_minute: Minute of execution of Shell Detector's cron job. Defaults to '30'.

Rkhunter setup

  • rkhunter_allow_ssh_root_user: The root-login setting rkhunter should expect to find in the sshd config. Defaults to 'no'.

Example playbook

Example of how to use this role:

- hosts: servers
  vars:
     antirootkits_mail_from: '[email protected]'
     antirootkits_mail_to: '[email protected]'
  roles:
     - { role: mablanco.antirootkits }
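A fuller playbook, added here as an example and not taken from the role's README, that enables all four tools, staggers the two cron jobs and only requests chkrootkit on Debian-family hosts (it is not available for RHEL). The host group, mail addresses and scan directory are placeholders; `become: true` is assumed because the role installs packages.

```yaml
# Added example, not part of the mablanco.antirootkits README.
- hosts: webservers          # placeholder inventory group
  become: true               # package installation needs root
  vars:
    # These two have no valid default; the role needs them to mail reports.
    antirootkits_mail_from: 'antirootkits@example.com'   # placeholder address
    antirootkits_mail_to: 'security-team@example.com'    # placeholder address
    antirootkits_log_expire: 30        # purge scan logs after 30 days instead of 90

    # Tool selection (all default to false).
    rkhunter: true
    unhide: true
    shelldetector: true
    # chkrootkit is not available for RHEL, so derive the flag from the OS family
    # (requires fact gathering, which is on by default).
    chkrootkit: "{{ ansible_facts['os_family'] == 'Debian' }}"

    # Stagger the scheduled scans so they do not compete for I/O on the same host.
    unhide_cron_hour: 3
    unhide_cron_minute: '15'
    shelldetector_cron_hour: 3
    shelldetector_cron_minute: '45'
    shelldetector_scan_directory: '/srv/www'   # placeholder; default is /var/www
  roles:
    - role: mablanco.antirootkits
```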

License

GPLv3

About

Linux antirootkit tools deployment

Install

ansible-galaxy install mablanco/ansible-antirootkits